The Internet of TR-069 Things · •Each device/firmware version has a different address space...
Transcript of The Internet of TR-069 Things · •Each device/firmware version has a different address space...
![Page 1: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/1.jpg)
![Page 2: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/2.jpg)
![Page 3: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/3.jpg)
![Page 4: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/4.jpg)
![Page 5: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/5.jpg)
![Page 6: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/6.jpg)
![Page 7: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/7.jpg)
![Page 8: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/8.jpg)
![Page 9: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/9.jpg)
![Page 10: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/10.jpg)
![Page 11: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/11.jpg)
![Page 12: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/12.jpg)
![Page 13: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/13.jpg)
![Page 14: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/14.jpg)
• Awesome viral video that we liked
• Written and directed by Casper Kelly
• Watch it
![Page 15: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/15.jpg)
• Malware and Vulnerability Research @ Check Point
1. Find Problems
2. Tell Vendors
3. Share with Community
![Page 16: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/16.jpg)
• TR-069 quick tour / DEF CON recap
• Motivation
• The TR-069 Census 2014
• Research Highlights
• Mass Pwnage BORDERLINE-LEGAL DEMO HERE
• A Pessimistic Outlook
![Page 17: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/17.jpg)
• a.k.a. CPE WAN Management Protocol (CWMP)
– 2004: v1.0
– 2013: v1.4 (amendment 5)
– 2015: amendment 6?
• This is what ISPs use to provision, monitor and configure your
home routers (and more)
![Page 18: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/18.jpg)
SOAP RPC (XML over HTTP)
Always initiates session
Dual authentication mechanism
ACS can issue “Connection Request”
![Page 19: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/19.jpg)
• Presented at DEF CON 22
• Our research uncovered implementation and configuration flaws
in many ISP’s ACS deployments
– ACSs are a single point of pwnage in modern ISP infrastructure
– Many TR-069 implementations just aren’t serious enough
– Leads to ISP fleet takeover
![Page 20: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/20.jpg)
• "The ACS can at any time request that the CPE initiate a
connection to the ACS using the Connection Request notification
mechanism. Support for this mechanism is REQUIRED in a CPE.”
(from TR-069)
Zmap white paper August 2013
Zmap white paper August 2013
![Page 21: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/21.jpg)
• Port 80 - ~70m
– 50% Web Servers
– 50% IoT things
• Routers
• Webcams
• VoIP Phones
• Toasters
![Page 22: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/22.jpg)
• TR-069 - ~45m – 100% IoT
![Page 23: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/23.jpg)
• We scanned 7547 (Nov 2014)
– A few times
– Help from friends (Rapid7, UMich)
• 1.18% respond
– 46,093,733 IoT devices
– All over the world
– 0.06% = 2.2m
![Page 24: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/24.jpg)
Apache 15%
KTT-SOAP 8%
mini_httpd 6%
gSOAP 19%
RomPager 52%
![Page 25: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/25.jpg)
• Embedded HTTP server by Allegro Software
– Massachusetts based company
• Optimized for minimal environments
– small binary, small memory requirements
• First introduced in 1996
• Many versions since
– Current version in 5.4
![Page 26: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/26.jpg)
98.04%
1.44% 0.51%
0.01%
RomPager 4.07
RomPager 4.51
RomPager 4.03
RomPager 4.34
![Page 27: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/27.jpg)
![Page 28: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/28.jpg)
• Dated to 2002
• Appears in many new firmwares
• 2,249,187 devices on port 80
• 11,328,029 devices on port 7547
• 200 different identified models
• 50 different brands
![Page 29: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/29.jpg)
![Page 30: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/30.jpg)
• Explore the firmware
– Firmware update is one file called “ras”
– Binwalk
Bootloader
Vendor logo
Main binary
![Page 31: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/31.jpg)
• Downloaded all the RomPager 4.07 firmwares I could find
• All of them had ZynOS header! (mipsb32)
![Page 32: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/32.jpg)
• Basic RTOS
• One binary
• No file system
• Notoriously known for the “rom-0” vulnerability (CVE-2014-4019)
– 1,219,985 vulnerable world-wide (May 2014)
![Page 33: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/33.jpg)
![Page 34: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/34.jpg)
http://192.168.1.1
![Page 35: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/35.jpg)
http://192.168.1.1:7547
![Page 36: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/36.jpg)
• Fuzzing over http headers
• Crashed on username sub-header of digest authentication
{Authorization: Digest username=‘a’*600}
![Page 37: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/37.jpg)
![Page 38: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/38.jpg)
![Page 39: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/39.jpg)
• Open up the router, looking for JTAG
• No JTAG
• U-ART?
![Page 40: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/40.jpg)
![Page 41: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/41.jpg)
• Unprotected strcpy
• 1. send large username
• 2 overwrite function pointer with ptr to shellcode
• 3 profit!
• Too easy?
![Page 42: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/42.jpg)
• Each device/firmware version has a different address space layout (“Nature’s ASLR”)
• If you know your target firmware and the exact memory layout, you can run code without too much hassle
• Attacker gets one chance per router because of dynamic IP allocation
• A potential generic solution would include finding an anchor for the shellcode using another infoleak vuln.
• That could work, but let’s keep looking!
![Page 43: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/43.jpg)
• ZynOS has unknown memory access debug primitives in serial
– Pre-boot
• Dynamic reversing is very slow
– Patch, crash, repeat
• No JTAG support
• ZORDON - ZynOs Remote Debugger (Over the Network)
– Breakpoints
– View/Edit Memory and registers
![Page 44: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/44.jpg)
• Each incoming HTTP request populates a pre-allocated “request
structure”.
– No dynamic memory allocation, remember?
• RomPager 4.07 handles processing of up to 3 concurrent
requests (3 pre-allocated structures)
• By sending 3 consecutive requests, one can overwrite the HTTP
handlers structures
![Page 45: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/45.jpg)
![Page 46: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/46.jpg)
• How can you exploit this?
– Blind memory read (by replacing the HTTP header string ptr)
• Problem: only works on
port 80.
– already have “rom-0”
for that
![Page 47: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/47.jpg)
![Page 48: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/48.jpg)
• Rom pager supports cookies
– No dynamic memory allocation, remember?
• Pre-allocated cookies array
– 10 cookies, 40 bytes long each
– C0,C1,C2,…,C9
![Page 49: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/49.jpg)
![Page 50: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/50.jpg)
• Arbitrary memory write relative to a fixed anchor in the RomPager internal management struct – Pretty much controls everything RomPager does
– Overflow 32-bit for negative offsets
• Non-harmful example as a POC:
• The technique works on any model of any brand that we had access to
![Page 51: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/51.jpg)
With a few magic cookies added to your request
you bypass any authentication and browse the configuration
interface as admin, from any open port.
![Page 53: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/53.jpg)
![Page 54: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/54.jpg)
• Cancel Internet subscription
• Alternative firmware
• Don’t buy these models until they’re fixed http://mis.fortunecook.ie/misfortune-cookie-suspected-vulnerable.pdf
![Page 55: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/55.jpg)
AllegroSoft OEM Chipset Vendor
Device Manufacturers
• ASUS
• D-LINK
• HUAWEI
• TP-LINK
• ZTE
ISPs
![Page 56: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/56.jpg)
• We contacted AllegroSoft and the major affected vendors
– Provided full description of the vulnerability and a non-harmful POC that triggers it
• Despite some broken English, the message got through
– Most of the time
– Some patched firmware already out
• AllegroSoft – “Can’t force any vendor to upgrade to latest version” (they actually
provided a patched version in 2005)
![Page 57: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/57.jpg)
• Is RomPager bad?
– No, they were actually very responsive and security aware. We just happened to research an old version of their software.
• Is this an intentionally placed backdoor?
– Doesn’t look like it.
• Can you share the exploit? – No.
• Can you tell me which IPs are affected in my country?
– Scan 80 + 7547 + custom ISP TR-069 connection request ports
![Page 58: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/58.jpg)
• We found a pretty serious vulnerability in the most popular
service exposed in IPv4.
– As far as we know
Hey industry, fix this.
![Page 59: The Internet of TR-069 Things · •Each device/firmware version has a different address space layout (“Nature’s ASLR”) •If you know your target firmware and the exact memory](https://reader034.fdocuments.in/reader034/viewer/2022042123/5e9eb413936e0b0cb87aa623/html5/thumbnails/59.jpg)